2 * Copyright (C) 2010 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
23 static struct range_list
*_get_rl(struct expression
*expr
, int implied
, int *recurse_cnt
);
24 static struct range_list
*handle_variable(struct expression
*expr
, int implied
, int *recurse_cnt
);
25 static struct range_list
*(*custom_handle_variable
)(struct expression
*expr
);
27 static sval_t zero
= {.type
= &int_ctype
, {.value
= 0} };
28 static sval_t one
= {.type
= &int_ctype
, {.value
= 1} };
30 struct range_list
*rl_zero(void)
32 return alloc_rl(zero
, zero
);
35 struct range_list
*rl_one(void)
37 return alloc_rl(one
, one
);
48 static struct range_list
*last_stmt_rl(struct statement
*stmt
, int implied
, int *recurse_cnt
)
53 stmt
= last_ptr_list((struct ptr_list
*)stmt
->stmts
);
54 if (stmt
->type
!= STMT_EXPRESSION
)
56 return _get_rl(stmt
->expression
, implied
, recurse_cnt
);
59 static struct range_list
*handle_expression_statement_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
61 return last_stmt_rl(get_expression_statement(expr
), implied
, recurse_cnt
);
64 static struct range_list
*handle_ampersand_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
66 struct range_list
*rl
;
68 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
70 if (get_address_rl(expr
, &rl
))
72 return alloc_rl(valid_ptr_min_sval
, valid_ptr_max_sval
);
75 static struct range_list
*handle_negate_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
77 if (known_condition_true(expr
->unop
))
79 if (known_condition_false(expr
->unop
))
82 if (implied
== RL_EXACT
)
85 if (implied_condition_true(expr
->unop
))
87 if (implied_condition_false(expr
->unop
))
89 return alloc_rl(zero
, one
);
92 static struct range_list
*handle_bitwise_negate(struct expression
*expr
, int implied
, int *recurse_cnt
)
94 struct range_list
*rl
;
97 rl
= _get_rl(expr
->unop
, implied
, recurse_cnt
);
98 if (!rl_to_sval(rl
, &sval
))
100 sval
= sval_preop(sval
, '~');
101 sval_cast(get_type(expr
->unop
), sval
);
102 return alloc_rl(sval
, sval
);
105 static struct range_list
*handle_minus_preop(struct expression
*expr
, int implied
, int *recurse_cnt
)
107 struct range_list
*rl
;
110 rl
= _get_rl(expr
->unop
, implied
, recurse_cnt
);
111 if (!rl_to_sval(rl
, &sval
))
113 sval
= sval_preop(sval
, '-');
114 return alloc_rl(sval
, sval
);
117 static struct range_list
*handle_preop_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
121 return handle_ampersand_rl(expr
, implied
, recurse_cnt
);
123 return handle_negate_rl(expr
, implied
, recurse_cnt
);
125 return handle_bitwise_negate(expr
, implied
, recurse_cnt
);
127 return handle_minus_preop(expr
, implied
, recurse_cnt
);
129 return handle_variable(expr
, implied
, recurse_cnt
);
131 return handle_expression_statement_rl(expr
, implied
, recurse_cnt
);
137 static struct range_list
*handle_divide_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
139 struct range_list
*left_rl
, *right_rl
;
142 type
= get_type(expr
);
144 left_rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
145 left_rl
= cast_rl(type
, left_rl
);
146 right_rl
= _get_rl(expr
->right
, implied
, recurse_cnt
);
147 right_rl
= cast_rl(type
, right_rl
);
149 if (!left_rl
|| !right_rl
)
151 if (is_whole_rl(left_rl
) || is_whole_rl(right_rl
))
154 return rl_binop(left_rl
, '/', right_rl
);
157 static struct range_list
*handle_subtract_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
160 struct range_list
*left_rl
, *right_rl
;
161 sval_t max
, min
, tmp
;
164 type
= get_type(expr
);
165 comparison
= get_comparison(expr
->left
, expr
->right
);
167 left_rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
168 left_rl
= cast_rl(type
, left_rl
);
169 right_rl
= _get_rl(expr
->right
, implied
, recurse_cnt
);
170 right_rl
= cast_rl(type
, right_rl
);
172 if ((!left_rl
|| !right_rl
) &&
173 (implied
== RL_EXACT
|| implied
== RL_HARD
|| implied
== RL_FUZZY
))
177 left_rl
= alloc_whole_rl(type
);
179 right_rl
= alloc_whole_rl(type
);
181 /* negative values complicate everything fix this later */
182 if (sval_is_negative(rl_min(right_rl
)))
184 max
= rl_max(left_rl
);
186 switch (comparison
) {
188 case SPECIAL_UNSIGNED_GT
:
189 min
= sval_type_val(type
, 1);
190 max
= rl_max(left_rl
);
193 case SPECIAL_UNSIGNED_GTE
:
194 min
= sval_type_val(type
, 0);
195 max
= rl_max(left_rl
);
198 if (sval_binop_overflows(rl_min(left_rl
), '-', rl_max(right_rl
)))
200 min
= sval_type_min(type
);
203 if (!sval_binop_overflows(rl_min(left_rl
), '-', rl_max(right_rl
))) {
204 tmp
= sval_binop(rl_min(left_rl
), '-', rl_max(right_rl
));
205 if (sval_cmp(tmp
, min
) > 0)
209 if (!sval_is_max(rl_max(left_rl
))) {
210 tmp
= sval_binop(rl_max(left_rl
), '-', rl_min(right_rl
));
211 if (sval_cmp(tmp
, max
) < 0)
215 if (sval_is_min(min
) && sval_is_max(max
))
218 return cast_rl(type
, alloc_rl(min
, max
));
221 static struct range_list
*handle_mod_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
223 struct range_list
*rl
;
224 sval_t left
, right
, sval
;
226 if (implied
== RL_EXACT
) {
227 if (!get_value(expr
->right
, &right
))
229 if (!get_value(expr
->left
, &left
))
231 sval
= sval_binop(left
, '%', right
);
232 return alloc_rl(sval
, sval
);
234 /* if we can't figure out the right side it's probably hopeless */
235 if (!get_implied_value(expr
->right
, &right
))
238 right
= sval_cast(get_type(expr
), right
);
241 rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
242 if (rl
&& rl_max(rl
).uvalue
< right
.uvalue
)
243 right
.uvalue
= rl_max(rl
).uvalue
;
245 return alloc_rl(zero
, right
);
248 static sval_t
sval_lowest_set_bit(sval_t sval
)
253 for (i
= 0; i
< 64; i
++) {
254 if (sval
.uvalue
& 1ULL << i
) {
257 sval
.uvalue
&= ~(1ULL << i
);
263 static struct range_list
*handle_bitwise_AND(struct expression
*expr
, int implied
, int *recurse_cnt
)
266 struct range_list
*left_rl
, *right_rl
;
269 if (implied
!= RL_IMPLIED
&& implied
!= RL_ABSOLUTE
)
272 type
= get_type(expr
);
274 if (get_implied_value(expr
->left
, &known
)) {
277 min
= sval_lowest_set_bit(known
);
278 left_rl
= alloc_rl(min
, known
);
279 left_rl
= cast_rl(type
, left_rl
);
280 add_range(&left_rl
, sval_type_val(type
, 0), sval_type_val(type
, 0));
282 left_rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
284 left_rl
= cast_rl(type
, left_rl
);
285 left_rl
= alloc_rl(sval_type_val(type
, 0), rl_max(left_rl
));
287 if (implied
== RL_HARD
)
289 left_rl
= alloc_whole_rl(type
);
293 if (get_implied_value(expr
->right
, &known
)) {
294 sval_t min
, left_max
, mod
;
296 min
= sval_lowest_set_bit(known
);
297 right_rl
= alloc_rl(min
, known
);
298 right_rl
= cast_rl(type
, right_rl
);
299 add_range(&right_rl
, sval_type_val(type
, 0), sval_type_val(type
, 0));
301 if (min
.value
!= 0) {
302 left_max
= rl_max(left_rl
);
303 mod
= sval_binop(left_max
, '%', min
);
305 left_max
= sval_binop(left_max
, '-', mod
);
307 if (left_max
.value
> 0 && sval_cmp(left_max
, rl_max(left_rl
)) < 0)
308 left_rl
= remove_range(left_rl
, left_max
, rl_max(left_rl
));
312 right_rl
= _get_rl(expr
->right
, implied
, recurse_cnt
);
314 right_rl
= cast_rl(type
, right_rl
);
315 right_rl
= alloc_rl(sval_type_val(type
, 0), rl_max(right_rl
));
317 if (implied
== RL_HARD
)
319 right_rl
= alloc_whole_rl(type
);
323 return rl_intersection(left_rl
, right_rl
);
326 static struct range_list
*handle_bitwise_OR(struct expression
*expr
, int implied
, int *recurse_cnt
)
329 struct range_list
*left_rl
, *right_rl
;
331 if (implied
!= RL_IMPLIED
&& implied
!= RL_ABSOLUTE
)
334 type
= get_type(expr
);
336 get_absolute_rl(expr
->left
, &left_rl
);
337 get_absolute_rl(expr
->right
, &right_rl
);
338 left_rl
= cast_rl(type
, left_rl
);
339 right_rl
= cast_rl(type
, right_rl
);
340 if (!left_rl
|| !right_rl
)
343 return rl_binop(left_rl
, '|', right_rl
);
346 static struct range_list
*handle_right_shift(struct expression
*expr
, int implied
, int *recurse_cnt
)
348 struct range_list
*left_rl
;
352 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
355 left_rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
357 max
= rl_max(left_rl
);
358 min
= rl_min(left_rl
);
360 if (implied
== RL_FUZZY
)
362 max
= sval_type_max(get_type(expr
->left
));
363 min
= sval_type_val(get_type(expr
->left
), 0);
366 if (get_implied_value(expr
->right
, &right
)) {
367 min
= sval_binop(min
, SPECIAL_RIGHTSHIFT
, right
);
368 max
= sval_binop(max
, SPECIAL_RIGHTSHIFT
, right
);
369 } else if (!sval_is_negative(min
)) {
371 max
= sval_type_max(max
.type
);
376 return alloc_rl(min
, max
);
379 static struct range_list
*handle_left_shift(struct expression
*expr
, int implied
, int *recurse_cnt
)
381 struct range_list
*left_rl
, *res
;
386 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
388 /* this is hopeless without the right side */
389 if (!get_implied_value(expr
->right
, &right
))
391 left_rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
393 max
= rl_max(left_rl
);
394 min
= rl_min(left_rl
);
395 if (min
.value
== 0) {
400 if (implied
== RL_FUZZY
)
402 max
= sval_type_max(get_type(expr
->left
));
403 min
= sval_type_val(get_type(expr
->left
), 1);
407 max
= sval_binop(max
, SPECIAL_LEFTSHIFT
, right
);
408 min
= sval_binop(min
, SPECIAL_LEFTSHIFT
, right
);
409 res
= alloc_rl(min
, max
);
411 res
= rl_union(res
, rl_zero());
415 static struct range_list
*handle_known_binop(struct expression
*expr
)
419 if (!get_value(expr
->left
, &left
))
421 if (!get_value(expr
->right
, &right
))
423 left
= sval_binop(left
, expr
->op
, right
);
424 return alloc_rl(left
, left
);
427 static int has_actual_ranges(struct range_list
*rl
)
429 struct data_range
*tmp
;
431 FOR_EACH_PTR(rl
, tmp
) {
432 if (sval_cmp(tmp
->min
, tmp
->max
) != 0)
434 } END_FOR_EACH_PTR(tmp
);
438 static struct range_list
*handle_implied_binop(struct range_list
*left_rl
, int op
, struct range_list
*right_rl
)
440 struct range_list
*res_rl
;
441 struct data_range
*left_drange
, *right_drange
;
444 if (!left_rl
|| !right_rl
)
446 if (has_actual_ranges(left_rl
))
448 if (has_actual_ranges(right_rl
))
451 if (ptr_list_size((struct ptr_list
*)left_rl
) * ptr_list_size((struct ptr_list
*)right_rl
) > 20)
456 FOR_EACH_PTR(left_rl
, left_drange
) {
457 FOR_EACH_PTR(right_rl
, right_drange
) {
458 if ((op
== '%' || op
== '/') &&
459 right_drange
->min
.value
== 0)
461 res
= sval_binop(left_drange
->min
, op
, right_drange
->min
);
462 add_range(&res_rl
, res
, res
);
463 } END_FOR_EACH_PTR(right_drange
);
464 } END_FOR_EACH_PTR(left_drange
);
469 static struct range_list
*handle_binop_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
472 struct range_list
*left_rl
, *right_rl
, *rl
;
475 rl
= handle_known_binop(expr
);
478 if (implied
== RL_EXACT
)
481 type
= get_type(expr
);
482 left_rl
= _get_rl(expr
->left
, implied
, recurse_cnt
);
483 left_rl
= cast_rl(type
, left_rl
);
484 right_rl
= _get_rl(expr
->right
, implied
, recurse_cnt
);
485 right_rl
= cast_rl(type
, right_rl
);
487 rl
= handle_implied_binop(left_rl
, expr
->op
, right_rl
);
493 return handle_mod_rl(expr
, implied
, recurse_cnt
);
495 return handle_bitwise_AND(expr
, implied
, recurse_cnt
);
497 return handle_bitwise_OR(expr
, implied
, recurse_cnt
);
498 case SPECIAL_RIGHTSHIFT
:
499 return handle_right_shift(expr
, implied
, recurse_cnt
);
500 case SPECIAL_LEFTSHIFT
:
501 return handle_left_shift(expr
, implied
, recurse_cnt
);
503 return handle_subtract_rl(expr
, implied
, recurse_cnt
);
505 return handle_divide_rl(expr
, implied
, recurse_cnt
);
508 if (!left_rl
|| !right_rl
)
511 if (sval_binop_overflows(rl_min(left_rl
), expr
->op
, rl_min(right_rl
)))
513 min
= sval_binop(rl_min(left_rl
), expr
->op
, rl_min(right_rl
));
515 if (sval_binop_overflows(rl_max(left_rl
), expr
->op
, rl_max(right_rl
))) {
521 max
= sval_type_max(get_type(expr
));
524 max
= sval_binop(rl_max(left_rl
), expr
->op
, rl_max(right_rl
));
527 return alloc_rl(min
, max
);
530 static int do_comparison(struct expression
*expr
)
532 struct range_list
*left_ranges
= NULL
;
533 struct range_list
*right_ranges
= NULL
;
534 int poss_true
, poss_false
;
537 type
= get_type(expr
);
538 get_absolute_rl(expr
->left
, &left_ranges
);
539 get_absolute_rl(expr
->right
, &right_ranges
);
541 left_ranges
= cast_rl(type
, left_ranges
);
542 right_ranges
= cast_rl(type
, right_ranges
);
544 poss_true
= possibly_true_rl(left_ranges
, expr
->op
, right_ranges
);
545 poss_false
= possibly_false_rl(left_ranges
, expr
->op
, right_ranges
);
547 free_rl(&left_ranges
);
548 free_rl(&right_ranges
);
550 if (!poss_true
&& !poss_false
)
552 if (poss_true
&& !poss_false
)
554 if (!poss_true
&& poss_false
)
559 static struct range_list
*handle_comparison_rl(struct expression
*expr
, int implied
)
564 if (get_value(expr
->left
, &left
) && get_value(expr
->right
, &right
)) {
565 struct data_range tmp_left
, tmp_right
;
569 tmp_right
.min
= right
;
570 tmp_right
.max
= right
;
571 if (true_comparison_range(&tmp_left
, expr
->op
, &tmp_right
))
576 if (implied
== RL_EXACT
)
579 res
= do_comparison(expr
);
585 return alloc_rl(zero
, one
);
588 static struct range_list
*handle_logical_rl(struct expression
*expr
, int implied
)
594 if (implied
== RL_EXACT
) {
595 if (get_value(expr
->left
, &left
))
597 if (get_value(expr
->right
, &right
))
600 if (get_implied_value(expr
->left
, &left
))
602 if (get_implied_value(expr
->right
, &right
))
607 case SPECIAL_LOGICAL_OR
:
608 if (left_known
&& left
.value
)
610 if (right_known
&& right
.value
)
612 if (left_known
&& right_known
)
615 case SPECIAL_LOGICAL_AND
:
616 if (left_known
&& right_known
) {
617 if (left
.value
&& right
.value
)
626 if (implied
== RL_EXACT
)
629 return alloc_rl(zero
, one
);
632 static struct range_list
*handle_conditional_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
634 struct range_list
*true_rl
, *false_rl
;
636 int final_pass_orig
= final_pass
;
638 if (known_condition_true(expr
->conditional
))
639 return _get_rl(expr
->cond_true
, implied
, recurse_cnt
);
640 if (known_condition_false(expr
->conditional
))
641 return _get_rl(expr
->cond_false
, implied
, recurse_cnt
);
643 if (implied
== RL_EXACT
)
646 if (implied_condition_true(expr
->conditional
))
647 return _get_rl(expr
->cond_true
, implied
, recurse_cnt
);
648 if (implied_condition_false(expr
->conditional
))
649 return _get_rl(expr
->cond_false
, implied
, recurse_cnt
);
652 /* this becomes a problem with deeply nested conditional statements */
656 type
= get_type(expr
);
658 __push_fake_cur_stree();
660 __split_whole_condition(expr
->conditional
);
661 true_rl
= _get_rl(expr
->cond_true
, implied
, recurse_cnt
);
662 __push_true_states();
663 __use_false_states();
664 false_rl
= _get_rl(expr
->cond_false
, implied
, recurse_cnt
);
665 __merge_true_states();
666 __free_fake_cur_stree();
667 final_pass
= final_pass_orig
;
669 if (!true_rl
|| !false_rl
)
671 true_rl
= cast_rl(type
, true_rl
);
672 false_rl
= cast_rl(type
, false_rl
);
674 return rl_union(true_rl
, false_rl
);
677 static int get_fuzzy_max_helper(struct expression
*expr
, sval_t
*max
)
679 struct smatch_state
*state
;
682 if (get_hard_max(expr
, &sval
)) {
687 state
= get_extra_state(expr
);
688 if (!state
|| !estate_has_fuzzy_max(state
))
690 *max
= sval_cast(get_type(expr
), estate_get_fuzzy_max(state
));
694 static int get_fuzzy_min_helper(struct expression
*expr
, sval_t
*min
)
696 struct smatch_state
*state
;
699 state
= get_extra_state(expr
);
700 if (!state
|| !estate_rl(state
))
703 sval
= estate_min(state
);
704 if (sval_is_negative(sval
) && sval_is_min(sval
))
707 if (sval_is_max(sval
))
710 *min
= sval_cast(get_type(expr
), sval
);
714 int get_const_value(struct expression
*expr
, sval_t
*sval
)
719 if (expr
->type
!= EXPR_SYMBOL
|| !expr
->symbol
)
722 if (!(sym
->ctype
.modifiers
& MOD_CONST
))
724 if (get_value(sym
->initializer
, &right
)) {
725 *sval
= sval_cast(get_type(expr
), right
);
731 struct range_list
*var_to_absolute_rl(struct expression
*expr
)
733 struct smatch_state
*state
;
734 struct range_list
*rl
;
736 state
= get_extra_state(expr
);
738 if (get_local_rl(expr
, &rl
))
740 if (get_db_type_rl(expr
, &rl
))
742 return alloc_whole_rl(get_type(expr
));
744 /* err on the side of saying things are possible */
745 if (!estate_rl(state
))
746 return alloc_whole_rl(get_type(expr
));
747 return clone_rl(estate_rl(state
));
750 static struct range_list
*handle_variable(struct expression
*expr
, int implied
, int *recurse_cnt
)
752 struct smatch_state
*state
;
753 struct range_list
*rl
;
754 sval_t sval
, min
, max
;
756 if (get_const_value(expr
, &sval
))
757 return alloc_rl(sval
, sval
);
759 if (custom_handle_variable
) {
760 rl
= custom_handle_variable(expr
);
762 return var_to_absolute_rl(expr
);
772 state
= get_extra_state(expr
);
773 if (!state
|| !state
->data
) {
774 if (implied
== RL_HARD
)
776 if (get_local_rl(expr
, &rl
))
778 if (get_db_type_rl(expr
, &rl
))
782 if (implied
== RL_HARD
&& !estate_has_hard_max(state
))
784 return clone_rl(estate_rl(state
));
786 if (!get_fuzzy_min_helper(expr
, &min
))
787 min
= sval_type_min(get_type(expr
));
788 if (!get_fuzzy_max_helper(expr
, &max
))
790 /* fuzzy ranges are often inverted */
791 if (sval_cmp(min
, max
) > 0) {
796 return alloc_rl(min
, max
);
801 static sval_t
handle_sizeof(struct expression
*expr
)
806 ret
= sval_blank(expr
);
807 sym
= expr
->cast_type
;
809 sym
= evaluate_expression(expr
->cast_expression
);
811 * Expressions of restricted types will possibly get
812 * promoted - check that here
814 if (is_restricted_type(sym
)) {
815 if (type_bits(sym
) < bits_in_int
)
817 } else if (is_fouled_type(sym
)) {
821 examine_symbol_type(sym
);
823 ret
.type
= size_t_ctype
;
824 if (type_bits(sym
) <= 0) /* sizeof(void) */ {
825 if (get_real_base_type(sym
) == &void_ctype
)
830 ret
.value
= type_bytes(sym
);
835 static struct range_list
*handle_call_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
837 struct range_list
*rl
;
839 if (sym_name_is("__builtin_expect", expr
->fn
)) {
840 struct expression
*arg
;
842 arg
= get_argument_from_call_expr(expr
->args
, 0);
843 return _get_rl(arg
, implied
, recurse_cnt
);
846 if (implied
== RL_EXACT
|| implied
== RL_HARD
|| implied
== RL_FUZZY
)
849 if (get_implied_return(expr
, &rl
))
851 return db_return_vals(expr
);
854 static struct range_list
*handle_cast(struct expression
*expr
, int implied
, int *recurse_cnt
)
856 struct range_list
*rl
;
859 type
= get_type(expr
);
860 rl
= _get_rl(expr
->cast_expression
, implied
, recurse_cnt
);
862 return cast_rl(type
, rl
);
863 if (implied
== RL_ABSOLUTE
)
864 return alloc_whole_rl(type
);
865 if (implied
== RL_IMPLIED
&& type
&&
866 type_bits(type
) > 0 && type_bits(type
) < 32)
867 return alloc_whole_rl(type
);
871 static struct range_list
*_get_rl(struct expression
*expr
, int implied
, int *recurse_cnt
)
873 struct range_list
*rl
;
877 type
= get_type(expr
);
878 expr
= strip_parens(expr
);
882 if (++(*recurse_cnt
) >= 200)
887 case EXPR_FORCE_CAST
:
888 case EXPR_IMPLIED_CAST
:
889 rl
= handle_cast(expr
, implied
, recurse_cnt
);
893 expr
= strip_expr(expr
);
897 switch (expr
->type
) {
899 sval
= sval_from_val(expr
, expr
->value
);
900 rl
= alloc_rl(sval
, sval
);
903 rl
= handle_preop_rl(expr
, implied
, recurse_cnt
);
906 rl
= _get_rl(expr
->unop
, implied
, recurse_cnt
);
909 rl
= handle_binop_rl(expr
, implied
, recurse_cnt
);
912 rl
= handle_comparison_rl(expr
, implied
);
915 rl
= handle_logical_rl(expr
, implied
);
919 sval
= handle_sizeof(expr
);
920 rl
= alloc_rl(sval
, sval
);
923 case EXPR_CONDITIONAL
:
924 rl
= handle_conditional_rl(expr
, implied
, recurse_cnt
);
927 rl
= handle_call_rl(expr
, implied
, recurse_cnt
);
930 rl
= handle_variable(expr
, implied
, recurse_cnt
);
936 if (type
&& implied
== RL_ABSOLUTE
)
937 return alloc_whole_rl(type
);
941 /* returns 1 if it can get a value literal or else returns 0 */
942 int get_value(struct expression
*expr
, sval_t
*sval
)
944 struct range_list
*rl
;
947 rl
= _get_rl(expr
, RL_EXACT
, &recurse_cnt
);
948 if (!rl_to_sval(rl
, sval
))
953 int get_implied_value(struct expression
*expr
, sval_t
*sval
)
955 struct range_list
*rl
;
958 rl
= _get_rl(expr
, RL_IMPLIED
, &recurse_cnt
);
959 if (!rl_to_sval(rl
, sval
))
964 int get_implied_min(struct expression
*expr
, sval_t
*sval
)
966 struct range_list
*rl
;
969 rl
= _get_rl(expr
, RL_IMPLIED
, &recurse_cnt
);
976 int get_implied_max(struct expression
*expr
, sval_t
*sval
)
978 struct range_list
*rl
;
981 rl
= _get_rl(expr
, RL_IMPLIED
, &recurse_cnt
);
988 int get_implied_rl(struct expression
*expr
, struct range_list
**rl
)
992 *rl
= _get_rl(expr
, RL_IMPLIED
, &recurse_cnt
);
998 int get_absolute_rl(struct expression
*expr
, struct range_list
**rl
)
1000 int recurse_cnt
= 0;
1002 *rl
= _get_rl(expr
, RL_ABSOLUTE
, &recurse_cnt
);
1004 *rl
= alloc_whole_rl(get_type(expr
));
1008 int custom_get_absolute_rl(struct expression
*expr
,
1009 struct range_list
*(*fn
)(struct expression
*expr
),
1010 struct range_list
**rl
)
1012 int recurse_cnt
= 0;
1015 custom_handle_variable
= fn
;
1016 *rl
= _get_rl(expr
, RL_ABSOLUTE
, &recurse_cnt
);
1017 custom_handle_variable
= NULL
;
1021 int get_implied_rl_var_sym(const char *var
, struct symbol
*sym
, struct range_list
**rl
)
1023 struct smatch_state
*state
;
1025 state
= get_state(SMATCH_EXTRA
, var
, sym
);
1026 *rl
= estate_rl(state
);
1032 int get_hard_max(struct expression
*expr
, sval_t
*sval
)
1034 struct range_list
*rl
;
1035 int recurse_cnt
= 0;
1037 rl
= _get_rl(expr
, RL_HARD
, &recurse_cnt
);
1044 int get_fuzzy_min(struct expression
*expr
, sval_t
*sval
)
1046 struct range_list
*rl
;
1048 int recurse_cnt
= 0;
1050 rl
= _get_rl(expr
, RL_FUZZY
, &recurse_cnt
);
1054 if (sval_is_negative(tmp
) && sval_is_min(tmp
))
1060 int get_fuzzy_max(struct expression
*expr
, sval_t
*sval
)
1062 struct range_list
*rl
;
1064 int recurse_cnt
= 0;
1066 rl
= _get_rl(expr
, RL_FUZZY
, &recurse_cnt
);
1070 if (max
.uvalue
> INT_MAX
- 10000)
1076 int get_absolute_min(struct expression
*expr
, sval_t
*sval
)
1078 struct range_list
*rl
;
1079 struct symbol
*type
;
1080 int recurse_cnt
= 0;
1082 type
= get_type(expr
);
1084 type
= &llong_ctype
; // FIXME: this is wrong but places assume get type can't fail.
1085 rl
= _get_rl(expr
, RL_ABSOLUTE
, &recurse_cnt
);
1089 *sval
= sval_type_min(type
);
1091 if (sval_cmp(*sval
, sval_type_min(type
)) < 0)
1092 *sval
= sval_type_min(type
);
1096 int get_absolute_max(struct expression
*expr
, sval_t
*sval
)
1098 struct range_list
*rl
;
1099 struct symbol
*type
;
1100 int recurse_cnt
= 0;
1102 type
= get_type(expr
);
1104 type
= &llong_ctype
;
1105 rl
= _get_rl(expr
, RL_ABSOLUTE
, &recurse_cnt
);
1109 *sval
= sval_type_max(type
);
1111 if (sval_cmp(sval_type_max(type
), *sval
) < 0)
1112 *sval
= sval_type_max(type
);
1116 int known_condition_true(struct expression
*expr
)
1123 if (get_value(expr
, &tmp
) && tmp
.value
)
1129 int known_condition_false(struct expression
*expr
)
1137 if (expr
->type
== EXPR_CALL
) {
1138 if (sym_name_is("__builtin_constant_p", expr
->fn
))
1144 int implied_condition_true(struct expression
*expr
)
1151 if (known_condition_true(expr
))
1153 if (get_implied_value(expr
, &tmp
) && tmp
.value
)
1156 if (expr
->type
== EXPR_POSTOP
)
1157 return implied_condition_true(expr
->unop
);
1159 if (expr
->type
== EXPR_PREOP
&& expr
->op
== SPECIAL_DECREMENT
)
1160 return implied_not_equal(expr
->unop
, 1);
1161 if (expr
->type
== EXPR_PREOP
&& expr
->op
== SPECIAL_INCREMENT
)
1162 return implied_not_equal(expr
->unop
, -1);
1164 expr
= strip_expr(expr
);
1165 switch (expr
->type
) {
1167 if (do_comparison(expr
) == 1)
1171 if (expr
->op
== '!') {
1172 if (implied_condition_false(expr
->unop
))
1178 if (implied_not_equal(expr
, 0) == 1)
1185 int implied_condition_false(struct expression
*expr
)
1187 struct expression
*tmp
;
1193 if (known_condition_false(expr
))
1196 switch (expr
->type
) {
1198 if (do_comparison(expr
) == 2)
1201 if (expr
->op
== '!') {
1202 if (implied_condition_true(expr
->unop
))
1206 tmp
= strip_expr(expr
);
1208 return implied_condition_false(tmp
);
1211 if (get_implied_value(expr
, &sval
) && sval
.value
== 0)
1218 int can_integer_overflow(struct symbol
*type
, struct expression
*expr
)
1221 sval_t lmax
, rmax
, res
;
1226 expr
= strip_expr(expr
);
1228 if (expr
->type
== EXPR_ASSIGNMENT
) {
1230 case SPECIAL_MUL_ASSIGN
:
1233 case SPECIAL_ADD_ASSIGN
:
1236 case SPECIAL_SHL_ASSIGN
:
1237 op
= SPECIAL_LEFTSHIFT
;
1242 } else if (expr
->type
== EXPR_BINOP
) {
1243 if (expr
->op
!= '*' && expr
->op
!= '+' && expr
->op
!= SPECIAL_LEFTSHIFT
)
1250 get_absolute_max(expr
->left
, &lmax
);
1251 get_absolute_max(expr
->right
, &rmax
);
1253 if (sval_binop_overflows(lmax
, op
, rmax
))
1256 res
= sval_binop(lmax
, op
, rmax
);
1257 if (sval_cmp(res
, sval_type_max(type
)) > 0)
